Once you’ve worked out the baseline skill standard for your development teams using tournaments, training, and assessments, the next thing to consider is creating a certification program.
Certification is about creating a set of levels within your company that are defined by certain skillsets or experience. It’s a way to help set goals for developers and offer them some well-deserved recognition for achieving them.
Determine Your Certification Levels
The first step in building a certification program would be to decide on a naming convention for your certification levels so you can build your program messaging.
Some ideas to consider:
- Belts (think Karate belt colors)
- Medals (platinum, gold, silver, bronze)
You can get creative with this, but the important part is that you lay down a repeatable learning path for newly ‘baseline certified’ developers to follow.
Determining the baseline is step one. For this article, we'll just go with "Levels". Everyone who passes the baseline is considered ‘Level 1’ or equivalent in your certification program.
A clearly defined certification program encourages developers to keep using the Secure Code Warrior® platform to build their skills with a view to gaining further accreditation (i.e., a ‘Level 2’ certification).
Building Skills and Going Further
Moving on from the baseline, the goal should be to help developers seek the next level of certification on their way to helping uplift themselves and their teams. To move from one level to the next, consider creating "Certification Assessments" designed to meet certain criteria.
These "Certification Assessments" should:
- Be more challenging than general and baseline assessments
- Have hints disabled
- Have limited or no retries
- Include challenges that meet your certification criteria (organization-dependent)
Note: For more info about assessments, check out our Assessment Module Overview article.
Here’s how you might consider structuring the certification journey for developers. Take a look at the visual for a quick overview, then read on to see each level in more detail.
Certification Level 1
This is the minimum skill baseline requirement for all developers to reach so it’s quite important. The focus should be on identifying and fixing the key security weaknesses affecting your particular organization.
This baseline would be determined using results from a tournament and post-tournament assessments.
Example: If you identify 10 key company-specific weaknesses, the baseline skills can include identifying and remediating 3-5 of those vulnerabilities.
This leads to some very specific training that benefits developers in their day-to-day roles. To reach this certification level, consider the following requirements:
- Completed a certain number of assessments (generally 2 at this point)
- Achieved the pass percentage on assessments
- Reached a minimum training point score (admin determined)
- Watched the relevant learning videos from the platform Resources section
The remainder of your company-specific vulnerabilities will be addressed with training and future assessments. The idea behind a 'Level 1' or baseline certification is that it's achievable for all developers, keeping in mind the different security awareness levels and the fact that new or junior devs joining your organization won't have prior knowledge of the specific key weaknesses your teams deal with.
Certification Level 2
By now, developers should be able to address all company or team-specific weaknesses. Open things up for 'Level 2' and focus on identifying and remediating OWASP Top 10 vulnerabilities. This training tends to be much broader, providing more learning and upskilling opportunities for developers.
This certification level is where you might see a few of your Senior Devs as they already offer a degree of mentorship to their peers.
Some 'Level 2' criteria examples:
- Successfully pass a "Level 2 Certification Assessment"
- Able to identify and remediate common OWASP Top 10 vulnerabilities
- The "go-to" person for support with day-to-day activities (including Secure Code Warrior Training)
- Excellent security awareness and an interest in sharing new knowledge and ideas
Progression to this level doesn’t have to happen immediately or at all. Each developer will have a different amount of time they can dedicate to training, so it’s important to keep that in mind.
Certification Level 3
To be 'Level 3' certified, developers should show an interest in advancing further. Skill-wise, they should be able to identify and remediate most of the OWASP Top 10 weaknesses. When doing training challenges, they should be using the 'hard' difficulty setting.
These developers will be very interested in finding new ways to examine coding security and share knowledge with those around them.
In addition to the criteria involved in the previous level, here are some 'Level 3' examples:
- Successfully pass a "Level 3 Certification Assessment"
- Encourage or introduce the use of new security tools, like pen-testing or static code analysis. This can shed some light on how your organization’s security awareness has changed while using Secure Code Warrior as part of a training program.
- Mentor 'Level 2' and any other developers interested in further certification.
Certification Level 4
Becoming a Level 4 certified developer means a good amount of time spent focusing on vulnerabilities beyond the OWASP Top 10. This dev will be very proactive and up to date on current issues and vulnerabilities.
In addition to the criteria from the previous two levels, here are some to consider for 'Level 4':
- Comfortable giving an internal security presentation to peers such as new starters or contractors
- Take the lead on security testing and communicating about it with their teams. Depending on your organization, this can mean owning the project or working closely with a security team to make it happen
- Mentor 'Level 3' and any other developers interested in further certification
As you can see, peer support is a crucial component of most certification levels, as it encourages open communication about skill-building and a positive culture around learning.
How Much Certification is Required?
While it’s tempting to want all developers at a 'Level 4' certification, in reality, it may not suit everyone’s work style, company size, or rate of hire. Higher certification levels can often lean toward taking on more people-oriented roles whereas some developers are more passionate about building and coding.
The nice thing about a certification program is that it gives developers the option to choose how and when to build their skills and seek out individual growth opportunities.
This visual shows a common spread of the different certification levels most companies have.
Most of your developers will be 'Level 1' or 'Level 2' and this is totally fine; having a mix of different levels amongst your teams helps promote skill diversity. Their secure coding skills and awareness at these levels are excellent and will continue to increase by training in the Secure Code Warrior platform.
The goal with a certification program is not only to have highly decorated developers, but for the developers to have a hand in creating a positive skill-building culture they want to be a part of.